action.yaml

name: "Security Code Scanner"
inputs:
  repo:
    description: "Repo to be scanned"
    required: true
  paths_ignored:
    description: "Comma delimited paths to ignore during scan"
    required: false
  rules_excluded:
    description: "Comma delimited IDs of rules to exclude"
    required: false
  mixpanel_project_token:
    description: "Mixpanel project token"
    required: false
  project_metrics_token:
    description: "Analytics token to log failed builds"
    required: false
  slack_webhook:
    description: "Slack webhook for notifications"
    required: true

runs:
  using: "composite"
  steps:
    - name: Check out repo to scan
      uses: actions/checkout@v4
      with:
        repository: ${{ inputs.repo }}
        path: ${{ inputs.repo }}
    
    - name: Set up Node.js
      uses: actions/setup-node@v4
      with:
        node-version: 20

    - name: Install dependencies
      working-directory: ${{github.action_path}}
      run: yarn --immutable
      shell: bash

    - name: Check if GHAS is enabled
      working-directory: ${{github.action_path}}
      id: advanced_security_check
      env:
        GITHUB_TOKEN: ${{ github.token }}
      run: yarn run check-ghas
      shell: bash

    - name: CodeQL Scan
      id: codeql-scan
      continue-on-error: true
      uses: MetaMask/CodeQL-action@main
      with:
        repo: ${{ inputs.repo }}
        paths_ignored: ${{ inputs.paths_ignored }}
        rules_excluded: ${{ inputs.rules_excluded }}

    - name: Semgrep Scan
      id: semgrep-scan
      continue-on-error: true
      uses: MetaMask/Semgrep-action@main
      with:
        paths_ignored: ${{ inputs.paths_ignored }}

    - name: Determine Overall Scan Success
      shell: bash
      env:
        CODEQL_SCAN_RESULT: ${{ steps.codeql-scan.outcome }}
        SEMGREP_SCAN_RESULT: ${{ steps.semgrep-scan.outcome }}
      run: |
        if [[ "$CODEQL_SCAN_RESULT" == "failure" || "$SEMGREP_SCAN_RESULT" == "failure" ]]; then
          SCAN_RESULT='failure'
        else
          SCAN_RESULT=$CODEQL_SCAN_RESULT
        fi
        echo "SCAN_RESULT=$SCAN_RESULT" >> $GITHUB_ENV

    # TODO check if we are blocking PR, e.g if we are on a PR and the scan failed, then fail the PR
    - name: Post to a Slack channel
      id: slack
      if: ${{ env.SCAN_RESULT == 'failure' && inputs.slack_webhook != '' }}
      uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844
      with:
        payload: |
          {
            "text": "Scan failed for run:https://github.com/${{inputs.repo}}/actions/runs/${{ github.run_id }}",
            "channel": "#mm-appsec-tooling-notifications"
          }
      env:
        SLACK_WEBHOOK_URL: ${{ inputs.slack_webhook }}
        SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

    - name: Save run metadata to mixpanel
      if: ${{ env.inputs.mixpanel_project_token != '' }}
      working-directory: ${{github.action_path}}
      env:
        MIXPANEL_PROJECT_TOKEN: ${{ inputs.mixpanel_project_token}}
        RUN_REPO: ${{ inputs.repo }}
        RUN_ID: ${{ github.run_id }}
        CODEQL_SCAN_RESULT: ${{ env.SCAN_RESULT }}
      run: yarn run log-to-mixpanel
      shell: bash

    - name: Finish on failure
      if: ${{ env.SCAN_RESULT == 'failure' }}
      shell: bash
      run: exit 1